Posted to dev@knox.apache.org by GitBox <gi...@apache.org> on 2019/03/12 20:26:09 UTC

[GitHub] [knox] moresandeep opened a new pull request #70: KNOX-1817 - Fix XSS issues with Alias API

URL: https://github.com/apache/knox/pull/70
 
 
   ## What changes were proposed in this pull request?
   The Alias API was, in some cases, passing user input back in the response without encoding; this happened when an error was thrown or when a response message saying 'alias' for a 'topology' was created. This opens up the API to XSS attacks. The PR:
   
   1. Adds encoding to the data that goes out in the response.
   2. Decodes the user inputs, since the API uses application/x-www-form-urlencoded.
   
   ## How was this patch tested?
   The patch was tested manually, e.g.:
   
   ```
   curl -iku admin:admin-password -H "Content-Type: application/json"  -d "value=mysecret" -X PUT  'https://localhost:8443/gateway/admin/api/v1/aliases/sandbox/somelongreallylongalias<>'
   HTTP/1.1 201 Created
   Date: Tue, 12 Mar 2019 19:54:00 GMT
   Set-Cookie: KNOXSESSIONID=node0tb9bz05vhh6k1xpp0ti2p0vqh2.node0;Path=/gateway/admin;Secure;HttpOnly
   Expires: Thu, 01 Jan 1970 00:00:00 GMT
   Set-Cookie: rememberMe=deleteMe; Path=/gateway/admin; Max-Age=0; Expires=Mon, 11-Mar-2019 19:54:00 GMT
   Content-Type: application/json
   Content-Length: 85
   Server: Jetty(9.4.15.v20190215)
   
   { "created" : { "topology": "sandbox", "alias": "somelongreallylongalias&lt;&gt;" } }
   ```
   

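The two halves of the fix described in the PR (decode the form-encoded/percent-encoded input, encode what is echoed back), as an added illustration that is not Knox code: the request path, body, function names and the `&lt;&gt;` entity encoding mirror the curl test above; everything else is a constructed assumption.

```python
import html
import json
from urllib.parse import parse_qs, unquote_plus

# Constructed sample request modelled on the curl call in the PR description
# (assumed values, not captured traffic): alias comes from the URL path,
# the secret from the application/x-www-form-urlencoded body.
REQUEST_PATH = "/gateway/admin/api/v1/aliases/sandbox/somelongreallylongalias%3C%3E"
REQUEST_BODY = "value=mysecret"
ALIAS_PREFIX = "/gateway/admin/api/v1/aliases/"


def parse_alias_request(path: str, body: str):
    """Return (topology, alias, value). Path segments are percent-decoded and the
    body is parsed as form data, so handlers never see the raw encoded form."""
    if not path.startswith(ALIAS_PREFIX):
        raise ValueError("not an alias request")
    topology, _, alias = path[len(ALIAS_PREFIX):].partition("/")
    if not topology or not alias:
        raise ValueError("topology and alias are required")
    values = parse_qs(body, strict_parsing=True).get("value", [])
    if len(values) != 1:
        raise ValueError("exactly one 'value' field is required")
    return unquote_plus(topology), unquote_plus(alias), values[0]


def created_response_unencoded(topology: str, alias: str) -> str:
    """Pre-fix shape: caller-controlled strings are echoed verbatim."""
    return '{ "created" : { "topology": "%s", "alias": "%s" } }' % (topology, alias)


def created_response_encoded(topology: str, alias: str) -> str:
    """Post-fix shape: HTML-entity-encode the echoed values (giving the &lt;&gt;
    seen in the PR's test), then let the JSON serializer escape quotes/backslashes."""
    body = {"created": {"topology": html.escape(topology, quote=True),
                        "alias": html.escape(alias, quote=True)}}
    return json.dumps(body)


def echoes_raw_markup(response: str) -> bool:
    """Regression check a test suite can run: does the body still contain
    unencoded angle brackets taken from the input?"""
    return "<" in response or ">" in response


if __name__ == "__main__":
    topo, alias, _secret = parse_alias_request(REQUEST_PATH, REQUEST_BODY)
    print("before:", created_response_unencoded(topo, alias))
    print("after: ", created_response_encoded(topo, alias))
```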